Chapter 8 Network Security


1 Chapter 8 Network Security
A note on the use of these ppt slides:
We're making these slides freely available to all (faculty, students, readers). They're in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:
- If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we'd like people to use our book!)
- If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.
Thanks and enjoy! JFK/KWR
All material copyright J.F. Kurose and K.W. Ross, All Rights Reserved
Computer Networking: A Top Down Approach Featuring the Internet, 3rd edition. Jim Kurose, Keith Ross, Addison-Wesley, July 2004.
8: Network Security

4 What is network security?
- Confidentiality: only sender, intended receiver should "understand" message contents; sender encrypts message, receiver decrypts message
- Authentication: sender, receiver want to confirm identity of each other
- Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
- Access and Availability: services must be accessible and available to users

7 There are bad guys (and girls) out there!
Q: What can a "bad guy" do?
A: a lot!
- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: "take over" ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ...

15 Public Key Cryptography
symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver

22 RSA: another important property
The following property will be very useful later:
K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
- left side: use public key first, followed by private key
- right side: use private key first, followed by public key
Result is the same!
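A worked check of this property, added here as an example and not part of the Kurose and Ross slides: a textbook-size RSA key pair (constructed toy primes p = 61, q = 53, e = 17, far too small for real use) is applied in both orders and recovers m each time. The function names (rsa_keygen, apply_key, both_orders, property_holds) are this example's own.

```python
# Added example (not from the slides): show K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
# with a toy RSA key pair. The numbers are constructed for readability only.

from math import gcd


def rsa_keygen(p, q, e):
    """Return (n, e, d) for the textbook RSA construction."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return n, e, d


def apply_key(exponent, n, m):
    """K(m) = m^exponent mod n; the same routine serves K_B^+ and K_B^-."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exponent, n)


def both_orders(n, e, d, m):
    """Return (K_B^-(K_B^+(m)), K_B^+(K_B^-(m)))."""
    public_then_private = apply_key(d, n, apply_key(e, n, m))  # encrypt, then decrypt
    private_then_public = apply_key(e, n, apply_key(d, n, m))  # private first, then public
    return public_then_private, private_then_public


def property_holds(n, e, d):
    """Exhaustively check the property for every m in [0, n); n is tiny here."""
    return all(both_orders(n, e, d, m) == (m, m) for m in range(n))


# Constructed toy key pair: p = 61, q = 53 gives n = 3233, phi = 3120, d = 2753.
N, E, D = rsa_keygen(61, 53, 17)

if __name__ == "__main__":
    print("n =", N, "e =", E, "d =", D)
    print("K_B^+(65) =", apply_key(E, N, 65))  # 2790
    print("both orders on m = 65:", both_orders(N, E, D, 65))  # (65, 65)
    print("property holds for all m in [0, n):", property_holds(N, E, D))
```

The exhaustive check is only feasible because n is tiny; with real key sizes the equality is guaranteed by the RSA construction, not by testing.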

35 ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well!

57 Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has own app. gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks